CLI Commands for Troubleshooting Palo Alto Firewalls

When troubleshooting network and security issues on many different devices/platforms I am always missing some command options to do exactly what I want to do on the device I am currently working with. Therefore I list a few commands for the Palo Alto Networks firewalls to have a short reference / cheat sheet for myself. Maybe some other network professionals will find it useful.

However, since I am almost always using the GUI this quick reference only lists commands that are useful for the console while not present in the GUI.

This blog post will be a living document. Whenever I use some “new” commands for troubleshooting issues, I will update it. If there are any useful commands missing, please send me a comment!

admin@MakeFirewallGreatAgain(active)> show system state filter-pretty sys.s1.p19.phy

sys.s1.p19.phy:{
  link-partner:{},
  media:SFP-Fiber,
  sfp:{
    connector:LC,
    encoding:8B10B,
    identifier:SFP,
    transceiver:1000B-SX,Idist,SN,
    vendor-name:AVAGO,
    vendor-part-number:AFBR-5715PZ-JU1,
    vendor-part-rev:,
  },
  type:Ethernet,
}
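To work with this nested output programmatically, for instance to compare the SFP details of a port across two snapshots and notice an unexpected transceiver swap, here is an added Python example. It is not code from the original post or from Palo Alto Networks; it parses the "key:{ ... }" format shown above. The sample text is the output quoted above, constructed inline without the prompt; the `diff_states` helper and the "FINISAR" vendor value used when demonstrating it are assumptions for the example.

```python
"""Parse the nested 'key:{ ... }' output of 'show system state filter-pretty'."""
from typing import Dict

# Constructed sample: the 'sys.s1.p19.phy' output quoted above, without the prompt.
SAMPLE_STATE = """\
sys.s1.p19.phy:{
  link-partner:{},
  media:SFP-Fiber,
  sfp:{
    connector:LC,
    encoding:8B10B,
    identifier:SFP,
    transceiver:1000B-SX,Idist,SN,
    vendor-name:AVAGO,
    vendor-part-number:AFBR-5715PZ-JU1,
    vendor-part-rev:,
  },
  type:Ethernet,
}
"""


def parse_system_state(text: str) -> dict:
    """Turn filter-pretty output into nested dicts; leaf values stay strings.

    Each line is one of: 'key:{' (open a block), 'key:{},' (empty block),
    '}' or '},' (close a block) or 'key:value,' (leaf). The trailing comma is
    a line terminator, so a value such as '1000B-SX,Idist,SN' keeps its own
    commas and an empty value ('vendor-part-rev:,') becomes ''.
    """
    root: dict = {}
    stack = [root]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line in ("}", "},"):
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: unbalanced closing brace")
            stack.pop()
            continue
        key, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"line {lineno}: expected 'key:value', got {raw!r}")
        if rest == "{":
            block: dict = {}
            stack[-1][key] = block
            stack.append(block)
        elif rest in ("{}", "{},"):
            stack[-1][key] = {}
        else:
            stack[-1][key] = rest[:-1] if rest.endswith(",") else rest
    if len(stack) != 1:
        raise ValueError("unterminated block at end of input")
    return root


def flatten(state: dict, prefix: str = "") -> Dict[str, str]:
    """Map dotted paths to leaf values; empty blocks appear as '{}'."""
    flat: Dict[str, str] = {}
    for key, value in state.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            if value:
                flat.update(flatten(value, path))
            else:
                flat[path] = "{}"
        else:
            flat[path] = value
    return flat


def diff_states(old: dict, new: dict) -> Dict[str, tuple]:
    """Paths whose leaf value differs between two snapshots (None = absent)."""
    a, b = flatten(old), flatten(new)
    return {p: (a.get(p), b.get(p))
            for p in sorted(set(a) | set(b)) if a.get(p) != b.get(p)}


if __name__ == "__main__":
    for path, value in flatten(parse_system_state(SAMPLE_STATE)).items():
        print(f"{path} = {value!r}")
    # Constructed second snapshot with a different (made-up) vendor name.
    swapped = SAMPLE_STATE.replace("vendor-name:AVAGO,", "vendor-name:FINISAR,")
    print(diff_states(parse_system_state(SAMPLE_STATE), parse_system_state(swapped)))
```

Feeding the output of several ports (or of a broader filter) into `parse_system_state` and keeping the flattened result per firewall makes a later `diff_states` call a quick check that the hardware inventory has not changed underneath you.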

Find

Since PAN-OS 6.0, the “find” command helps in searching for the needed command in case you do not know the whole set of commands. With “find command”, all possible commands are displayed. With “find command keyword xyz”, all commands containing “xyz” are shown.

find command
find command keyword <word-to-search-for>

Ping, Traceroute, and DNS

A standard ping command looks like this:

ping host 8.8.8.8

Note that this ping request is issued from the management interface! To use a data interface as the source, the option “source <ip-address>” can be used. To use IPv6, the option is “inet6 yes”. For example:

ping inet6 yes source 2003:51:6012:120::1 host 2a00:1450:4008:800::1017

A traceroute command looks like this:

traceroute host 8.8.8.8

The option “source <ip-address>” can be used to specify the outgoing interface. However, for IPv6, the option differs from the ping command: “ipv6 yes”.

To resolve DNS names, e.g., to test the DNS server that is configured on the management interface, simply ping a name:

ping host ip.webernetz.net

Routing

(For a “show” of the routing table refer to the “Standard Show Commands” above.) Debugging dynamic routing protocols works like this:

debug routing pcap <routing-protocol> on
debug routing pcap show
debug routing pcap <routing-protocol> view
debug routing pcap <routing-protocol> off
debug routing pcap <routing-protocol> delete

Or follow the routed.log:

tail follow yes mp-log routed.log

Test

The Palo offers some great test commands, e.g., for testing a route-lookup, a VPN connection, or a security policy match. Use the question mark to find out more about the test commands. Here are some useful examples:

Viewing Management-Plane Logs

In order to view the debug log files, “less” or “tail” can be used. The keyword “mp-log” links to the management-plane logs (similar to “dp-log” for the dataplane-logs). The tail command can be used with “follow yes” to have a live view of all logged messages. And as always: Use the question mark in order to display all possibilities.

Examples:

less mp-log ?
less mp-log dnsproxyd.log
tail follow yes mp-log dhcpd.log
tail follow yes mp-log routed.log

Capturing Management Packets

To view the traffic from the management port at least two console connections are needed. The first one executes the tcpdump command (with “snaplen 0” for capturing the whole packet, and a filter, if desired),

tcpdump snaplen 0 filter "port 53"

while the second console follows the live capture:

view-pcap follow yes mgmt-pcap mgmt.pcap

Test traffic can be generated with a third console session, e.g.:

ping host webernetz.net

Later on, the pcap file can be moved to another computer with the following command:

scp export mgmt-pcap from mgmt.pcap to <username@host:path>

Alternatively, tftp can be used:

tftp export mgmt-pcap from mgmt.pcap to <host>

Live Viewing of Packet Captures

When using the Packet Capture feature on the Palo Alto, the filter settings can easily be made from the GUI (Monitor -> Packet Capture). These settings as well as the current size of the running packet capture files can be examined with:

debug dataplane packet-diag show setting

Now, the current capturing in follow mode can be viewed with:

view-pcap follow yes filter-pcap

And for a really detailed analysis, the counters for these filtered packets can be viewed. This exactly reveals how many packets traversed which way, and so on. With the “delta yes” option, only the counter values since the last execution of this command are shown. The “packet-filter yes” option uses the packet filter from the GUI (Monitor -> Packet Capture) to filter the counters:

Examining the Session Table

If a network connection failure is not found in the traffic log, the session table can be queried for sessions in DISCARD state, filtered by source, or by other criteria. This is useful at the console because the session browser in the GUI does not store the filter options and is therefore a bit unhandy. All commands start with “show session all filter …”, e.g.:

show session all filter state discard
show session all filter application dns destination 8.8.8.8
show session all filter from trust to untrust application ssl state active

To have an overview of the number of sessions, configured timeouts, etc.:

show session info

For investigating a single session in more detail, use:

show session id <id>

Watch out for the: “Hardware session offloading” line. If it is “true” you might want to disable the fastpath during troubleshooting (inside the config mode):

To see whether there are some “predict” sessions in which the Palo Alto uses an ALG (application layer gateway) to predict dynamic ports (e.g., SIP, active FTP), use this command:

show session all filter type predict

A specific session can then be cleared with:

clear session id <value>

Reason for Session Close

[UPDATE] Since PAN-OS 6.1 the session end reason is a column within the GUI at Monitor -> Logs -> Traffic. Hence this is not needed anymore.[/UPDATE]

You cannot see the reason for a closed session in the traffic log in the GUI. For this purpose, find out the session id in the traffic log and type in the following command in the CLI (named the “Session Tracker”). Note the last line in the output, e.g. “tracker stage firewall : Aged out” or “tracker stage firewall : TCP FIN”. This shows what reason the firewall sees when it ends a session:

show session id <id>

Alternatively, the traffic log on the CLI can display the session tracker when used with the option “show-tracker equal yes” such as:

VPN Issues

The general show commands for VPN sessions are:

show vpn gateway
show vpn ike-sa

(Palo Alto: How to Troubleshoot VPN Connectivity Issues). Though you can find many reasons for non-working site-to-site VPNs in the system log in the GUI, some more CLI commands might be useful. To reveal whether packets traverse a VPN connection, use this (it shows the number of encap/decap packets and bytes, i.e., the actual traffic flow):

show vpn flow name <value>

Or use the counter values for ipsec issues:

show counter global filter delta yes | match ipsec

And for detailed debugging of IKE, enable the debug (without any further options)

debug ike pcap on

then follow the pcap with

view-pcap follow yes debug-pcap ikemgr.pcap

and do NOT forget to set the debugging off!

debug ike pcap off

The complete ikemgr.pcap can be downloaded from the Palo with scp or tftp, e.g.:

scp export debug-pcap from ikemgr.pcap to <username@host:path>

To clear or to initiate an IPsec connection use the following commands for either phase 1 (IKE) or phase 2 (IPsec):

clear vpn ike-sa gateway <value>
clear vpn ipsec-sa tunnel <value>
test vpn ike-sa gateway <value>
test vpn ipsec-sa tunnel <value>

GlobalProtect

Current users and flow:

show global-protect-gateway current-user
show global-protect-gateway flow

Displaying the Config in Set Mode

The XML output of the “show config running” command might be impractical when troubleshooting at the console. That’s why the output format can be set to “set” mode:

set cli config-output-format set

Now, enter the configure mode and type “show”. This reveals the complete configuration as “set …” commands. Here is a sample output of a particular show command:

The pipe (|) can be used to grep certain values with the “match” keyword, such as:

weberjoh@fd-wv-fw02# show | match 192.168.120.2
set deviceconfig system ip-address 192.168.120.2
set address h_fd-wv-fw02_mgmt ip-netmask 192.168.120.2

To show the complete config without breaks (which is “terminal length 0” on Cisco devices), the following command can be used (BEFORE the configure mode is entered):

set cli pager off

To omit line breaks (carriage returns), use this one:

set cli terminal width 500

High Availability

Some show commands for the HA:

show high-availability ?
show high-availability all
show high-availability state
show high-availability link-monitoring
show high-availability path-monitoring
show high-availability control-link statistics
show high-availability state-synchronization

The following request can be used to trigger an HA failover, either for the local device or the “peer” device:

request high-availability state suspend
request high-availability state functional
request high-availability state peer suspend
request high-availability state peer functional

To verify the session synchronization (HA2), you can either use “show high-availability state-synchronization” as shown above on both devices (to verify that “sent” is increasing on the active unit while “received” is increasing on the passive unit) or you can look at the session browser on the passive device to check whether it shows the same count of sessions as the active device.

Following is a demo output of the “state-synchronization” from both devices in a cluster:

Export/Import Files

To copy files from or to the Palo Alto firewall, scp or tftp can be used. Both commands have the same structure with “export … to” or “import … from”, e.g.:

scp export log system to <username@host:path_to_destination_filename>
scp import software from <username@host:path>
tftp export configuration from running-config.xml to <tftp-host>
tftp import url-block-page from <tftp-host>

User-IDs and Groups

State of the LDAP server connections incl. the listing of all groups:

show user group-mapping state all

Group mapping and user-id agent refresh (=update) and reset (=delete and reload):

debug user-id refresh group-mapping all
debug user-id refresh user-id-agent all
debug user-id reset group-mapping all
debug user-id reset user-id-agent all

Show the group memberships for a particular user:

show user user-IDs match-user <value>

Show the members of a particular group:

show user group name "AD\name-of-the-group"

IP to User mapping for all users or for a particular user. (The match value does not work with a backslash, so the username must be specified without the domain):

show user ip-user-mapping all
show user ip-user-mapping all | match <username>

User-ID cache clearance. Note that you must clear both the dataplane AND the management plane (…-mp) to really delete an IP mapping. Since the MP pushes the mapping to the DP, you should clear the MP first.

clear user-cache-mp all
clear user-cache-mp ip <ip>
clear user-cache all
clear user-cache ip <ip>

IP Addresses of FQDN Objects

When using objects with FQDNs, the current IP addresses are not shown in the GUI. The following command displays or refreshes them, respectively:

request system fqdn {show|refresh}

To set the refresh timer to another value, use the following commands:

configure
set deviceconfig system fqdn-refresh-time <600-14399>
commit

To verify this setting you can “show” the configuration with pipe and match. If you are in the default cli config-output-format it looks like this:

weberjoh@pa# show | match fqdn-ref
fqdn-refresh-time 600;

[edit]

When you are in the “set” config-output-format it looks like this:

weberjoh@pa# show | match fqdn-ref
set deviceconfig system fqdn-refresh-time 600

[edit]

Now, as in my case I am updating the FQDNs every 600 s = 10 m, I can see the appropriate job every 10 minutes:

DNS Proxy

To verify the functionality of DNS proxy objects, at least two commands are useful. Both outputs should speak for themselves:

show dns-proxy statistics all
show dns-proxy cache all

Active URL Vendor/Database

I had some issues with the two different URL databases “brightcloud” and “PAN-DB”. This is the command to show unambiguously which vendor is active on the PA (independent of the licenses):

show system setting url-database

The output is either brightcloud or paloaltonetworks. The standard URL DB up to PAN-OS 5.0 is brightcloud. Beginning with PAN-OS 6.0, the default is PAN-DB (refer to the release notes, section “Changes to Default Behavior”). To change the vendor (of course only if it is licensed), click the “Activate” link under licenses in the GUI.

PAN-DB URL Test & Cache

To show the category of a specific URL, use one of the following commands:

test url <fqdn>
test url-info-cloud <fqdn>
test url-info-host <fqdn>

To display the current URL cache from the PAN-DB, two steps are required. The first one is the creation of a logfile which contains all entries and the second one is to display this logfile:

show system setting url-cache all
less dp-log dp_url_DB.log

Fan Speed

Ok, this is not a troubleshooting command, but nevertheless very useful. It sets the fan speed to “auto” which immediately drops the noise of the fan, e.g. on a PA-200:

set system setting fan-mode auto

Defaults

Just for reference:

Default Management Interface IP: 192.168.1.1

Login: admin

Password: admin

To change the static IP settings of the management interface via the console:

configure
set deviceconfig system ip-address 192.168.1.5 netmask 255.255.255.0 default-gateway 192.168.1.1 dns-setting servers primary 8.8.8.8
commit

Or to change it to a DHCP client (of the management interface), use this:

configure
set deviceconfig system type dhcp-client send-hostname yes send-client-id no accept-dhcp-domain no accept-dhcp-hostname no
commit

And wait for a console message such as “DHCP: new ip 10.100.20.175 : mask 255.255.255.128”. Otherwise you can show the management IP address via “show interface management”. If you later on want to change back to static IP addresses you must not only use the set command above (for the mere IP address) but also change the type back to static:

set deviceconfig system type static

To perform a factory reset without direct access to the firewall via a console cable, you can use this procedure.

So is the command you list “set network virtual-router NAME-OF-THE-VR routing-table ip static-route NAME-OF-THE-ROUTE option no-install”… the CLI command one would use to delete a pre-existing route (once committed)? OR is there another command to run besides the one you mention ?

Occam’s razor strikes again! Replace the “set” with “delete”. It does surprise me though that such a simple, and different from other platforms, way of deleting, removing, unsetting or no-ing a command is not readily documented or discovered throughout the Web or Palo Alto. Just say’n! Had to figure it out solo.

Like “show configuration | in ‘value’”, is there any command like this in Palo Alto to see a particular config?

For example: to see the configuration of IP “172.16.10.0/24” we used this command in Cisco: “show run | in 172.16.10.0”. It will show the configuration details. Please let me know the command in Palo Alto for the same.

Hi Vishnu,
yeah, good question. I just updated the corresponding section in this post for you: “Displaying the Config in Set Mode”.

Note that you could use a similar command in the standard CLI view (not in the “configure” view):
“show config running | match 192.168.120.2”
However, this is not very useful since you only get single XML lines without any context around the lines.

How to configure Vlan in palo alto. My ISP gave me the wan IP and Vlan id . They asking me to configure in the interface where ISP connected. Could you help me. I need a sample configuration of Palo alto . Kindly sent to mail id : aravindramesh11@gmail.com

If client and server negotiate DH based cipher suites, then decryption is not possible. Also, there are certain RSA based cipher suites which PA is not going to decrypt. Check PA’s documents for the list of RSA ciphers which PA is not going to decrypt.

Take packet captures on the client machine and if you see DH based cipher suites negotiated by the server in the server hello, then force the server to negotiate RSA based cipher suites.

Otherwise, I don’t see any reason for decryption failure, if your decryption policy covers the interested traffic.

Why don’t you use the GUI for these requests? Simply type in the IP address or name or whatever in the search field. ;)
However, if you want to use the CLI: set the output format to set “set cli config-output-format set”, go into the configure mode “configure” and grep the IP address or whatever “show | match 192.168.0.1”.

Great blog.
A few queries. It may be covered in the trail but still very helpful if someone responds:
# In CLI mode, how to check routing for one destination, and accordingly I can see the interface from which it goes out and finally I can see the zone bound to that interface.
This is very basic to create a policy in GUI mode.

One of our clients is using a Palo Alto PA3050 model. They have a 50 Mbps Vodafone leased line; it is working fine when we are directly connected to the router, but if we connect through our firewall then the upload speed only comes up to 2 Mbps.

I want to check which route is matching for some host IP like 10.155.7.33. When I run the command “show routing route destination 10.155.7.33/32” it shows nothing, although I have the matching route 10.115.7.0/24 in the routing table. If it does not match, it should show the 0/0 default route.

yes, you are displaying only the mere routing table and not an “intelligent query”. Please try:
“test routing fib-lookup virtual-router default ip 10.155.7.33”
This will show you the exit interface and the next-hop of the route.
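As an added illustration of the point made in the reply above, not part of the original reply or of PAN-OS, the following Python snippet shows why the two commands answer differently: an exact-prefix query only returns a route whose prefix equals the queried network, while a forwarding (FIB) lookup does longest-prefix matching and falls back to the default route. The routing table, next hops and interface names are constructed for the example.

```python
"""Exact-prefix route query vs. longest-prefix (FIB) lookup, in plain Python."""
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    next_hop: str
    interface: str


def route(prefix: str, next_hop: str, interface: str) -> Route:
    return Route(ipaddress.ip_network(prefix), next_hop, interface)


# Constructed routing table (next hops and interfaces are made up); it contains
# a /24 covering the host from the question but no /32 for the host itself.
ROUTES: List[Route] = [
    route("0.0.0.0/0", "192.0.2.1", "ethernet1/1"),
    route("10.155.0.0/16", "198.51.100.9", "ethernet1/3"),
    route("10.155.7.0/24", "198.51.100.1", "ethernet1/2"),
]


def exact_route(routes: List[Route], destination: str) -> Optional[Route]:
    """Exact-prefix query: return the entry whose prefix equals `destination`
    (e.g. '10.155.7.33/32'), or None. This is why a /32 query finds nothing
    when only the covering /24 is installed."""
    wanted = ipaddress.ip_network(destination, strict=False)
    for r in routes:
        if r.prefix == wanted:
            return r
    return None


def fib_lookup(routes: List[Route], host: str) -> Optional[Route]:
    """Longest-prefix match as a forwarding lookup does: among all entries
    that contain `host`, pick the most specific; 0.0.0.0/0 catches the rest."""
    addr = ipaddress.ip_address(host)
    candidates = [r for r in routes if addr in r.prefix]
    if not candidates:
        return None  # no default route installed, nothing matches
    return max(candidates, key=lambda r: r.prefix.prefixlen)


if __name__ == "__main__":
    print("exact /32 match:", exact_route(ROUTES, "10.155.7.33/32"))
    hit = fib_lookup(ROUTES, "10.155.7.33")
    print(f"fib-lookup: via {hit.next_hop} on {hit.interface} ({hit.prefix})")
```

`fib_lookup` returns the exit interface and next hop the way “test routing fib-lookup” does, which is the information you need before writing a policy for the zone bound to that interface.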

Hi,
Can someone let me know what’s a good way (if there is one) to check what debugs were configured? If someone failed to turn them off and the CPU spikes happen, there should be a nice way to turn those off after seeing what set them on.
I was told it is virtually impossible to see the active debugs, and there is no “undebug all” Cisco-fashion command on PA I suppose.

How to I delete/uninstall all the process related to Global Protect Palo Alto using command line. I think the command is set clean palo….. Not sure what exactly it is. Could you please provide me the command?

it is quite abnormal that panorama reboots by itself. You should open a support case @ PAN.
Anyway, you can use the “less ?” command on the CLI to display many different logs such as “less mp-log sysd.log”.
Or you can try to use scp to export certain logs such as “scp export core-file management-plane from crashinfo to user@host:path”.

Hi, nice job. This is really useful for day-to-day work. I have a little issue, I hope you could help me: I want to get the names of all vsys with a command, not by pressing ‘tab’ or ‘?’ as in the following sentence: “set system setting target-vsys ”. Is there some command to get this info?

Hi, We are from Cisco ASA background and facing difficulty while troubleshooting communication issues. Please help if we can test application reachability from PA by doing telnet to destination server on defined ports (telnet 10.10.10.10 443) or ping tcp 10.10.10.10 443

since Palo Alto recognizes the application rather than the port you won’t be able to “telnet x.y.z.t 443”. Palo will recognize this as “telnet on port 443” rather than “ssl on 443”. Hence, you really must test the *real* application you allowed/blocked within your policies.
(If you are facing network issues you can additionally allow “telnet” on port “any” and give it a try. But you should delete this after your tests.)
Or you simply allow ping/icmp/traceroute to test the underlying network infrastructure.
Cheers,
Johannes

Thank you for your reply. My requirement is to test application availability from firewall. We don’t have access to servers and we get tickets saying application is inaccessible. Server default gateway is hosted on Palo Alto and we need to check whether server is responding on desired ports. Ports are different from 443 and I mentioned 443 as an example

I don’t know how to test something like this *from* the firewall itself. This won’t really solve your problem since it would only be a test and not your real scenario.

Check the following:
– Look at your Traffic Log. You must see incoming connections according to your tickets. Are the sessions allowed or blocked? Which application is detected? Maybe you have to look at the “default deny” rule to see which application the Palo Alto detects. (Note that the default deny rule has logging DISabled by default. You must override it to enable logging.)
– Check the “Bytes sent / Bytes received” on the Traffic Log. If only bytes are sent but NOT received, then your server isn’t answering.
– Check the ARP cache (IPv4) or Neighbor cache (IPv6): Is the server really on the correct subnet/vlan?

Hi – I would like to know if it’s possible to make the standby active via CLI from the standby firewall? My firewall is running sw-version 7.1.8 and has no option to run CLI against the peer.
I have a situation where the active firewall on high CPU is not allowing access via GUI nor SSH.

Hello. Do you know of a way to verify a Path Monitor BEFORE it is enabled on a static route? For example, if this were Cisco, I could check the status of the track before applying it to a static route. Thanks.

Uh, that’s a good point. I don’t know. I cannot find a way to prove that when the monitor is enabled.

However, you can use two workarounds:
1) Configure two path monitor destinations for your route, one that succeeds and the other one that you want to test. When you set the failure condition to “all” then your route will stay active since the first destination still works.
2) Configure a dummy route entry with the path monitor you want to test.

To verify the path monitoring from the CLI use the following command:
show routing path-monitor

hi joha,
I have a PA-500 box. While committing the config it stops at 90%. On my primary t-shoot I got to know that the User-ID daemon was stuck at 70%, which is causing the issue. In order to resolve the issue we have to restart the daemon and I also have the CLI command as well. My question is: is there any impact on my network while running the command, or do we require downtime to do this?

Hi SWOPNENDU.
At first: I am not quite sure! Please consider opening a ticket at Palo Alto Networks. They should help you.

However, to my mind, a restart of the User-ID should not affect your network, but *might* affect your User-IP-Mappings for a certain amount of time. BUT: I am not sure that this single restart will completely help you. Maybe this is just the first problem you have. I am having lots of problems with my PA-200 during the last few months. In many cases a complete reboot was the only solution. ;(